OB_POST_OPERATION_INFORMATION - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
// wdm.h

typedef struct _OB_POST_OPERATION_INFORMATION {
  OB_OPERATION                  Operation;
  union {
    ULONG Flags;
    struct {
      ULONG KernelHandle : 1;
      ULONG Reserved : 31;
    };
  };
  PVOID                         Object;
  POBJECT_TYPE                  ObjectType;
  PVOID                         CallContext;
  NTSTATUS                      ReturnStatus;
  POB_POST_OPERATION_PARAMETERS Parameters;
} OB_POST_OPERATION_INFORMATION, *POB_POST_OPERATION_INFORMATION;
View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (ns-wdm-_ob_post_operation_information)

_OB_POST_OPERATION_INFORMATION structure

Description

The OB_POST_OPERATION_INFORMATION structure provides information about a process or thread handle operation to an ObjectPostCallback routine.

Members

Operation

The type of handle operation. This member might be one of the following values:

OB_OPERATION_HANDLE_CREATE

A new handle to a process or thread was created. Use Parameters->CreateHandleInformation for create-specific information.

OB_OPERATION_HANDLE_DUPLICATE

A process or thread handle was duplicated. Use Parameters->DuplicateHandleInformation for duplicate-specific information.

Flags

Reserved. Use the KernelHandle member instead.

KernelHandle

A ULONG value that specifies whether the handle is a kernel handle. If this value is TRUE, the handle is a kernel handle. Otherwise, the handle is not a kernel handle.

Reserved

Reserved for system use.

Object

A pointer to the process or thread object that is the target of the handle operation.

ObjectType

A pointer to the object type of the object. This type can be PsProcessType for a process or PsThreadType for a thread.

CallContext

A pointer to driver-specific context information for the operation. This value is the value that the OperationInformation->CallContext member specifies to the ObjectPreCallback routine.

ReturnStatus

The NTSTATUS value for the handle operation.

Parameters

A pointer to an OB_POST_OPERATION_PARAMETERS union that contains operation-specific information. The Operation member determines which member of the union is valid. The pointer is valid only when ReturnStatus is a success code.

Remarks

Unlike the OB_PRE_OPERATION_INFORMATION structure, the members of the OB_POST_OPERATION_INFORMATION structure are purely informational; you cannot modify them.

See also

OB_PRE_OPERATION_INFORMATION

ObjectPostCallback

ObjectPreCallback

View the official Windows Driver Kit DDI reference

Edit description on GitHub